All accounts are listed at the left of the Accounts preferences window. Below
each user's long name is an indication of the type of user. Administrators
are listed as Admin, and normal users are listed as Standard, Managed, or
Simplified, depending on the Limitations settings.

Each of the listed user accounts also has its own home folder in /Users and
owns any files that are created when someone is logged in as that user. The
superuser is not a standard user account and doesn't appear in this list,
nor does it have a home directory.

If you're logged in as an administrator, you can immediately begin
making changes to the Accounts preferences of any account that's not
currently logged in. Otherwise, the lock icon in the lower-left corner of the
Accounts preferences window is closed. To make changes, click the lock icon and
enter the username and password of any administrator account on the computer.
This step doesn't log you in as that administrator, but it does temporarily
give you the privileges of that administrator to change preferences.

Specifying Name and Password

As mentioned earlier, you can have as many administrator and normal accounts
as you need. To create a new account, click the Add User (plus sign) button. If
it's not already visible, the Password pane appears (see figure).

Figure 31 The first
step to creating an account is to specify the name and password.

At the very least, you must provide a long name and a short name for each new
user, but you should also specify and verify a secure password, (see the section
"Creating Good Passwords"). The optional hint appears in the login
window if an incorrect password is entered three times in a row. Therefore, the
hint should not be the password itself, lest anyone be able to gain access to
that account.

Once you've entered the name and password information, just switch to
another pane, add another new user, or quit System Preferences. Mac OS X then
creates the new account with its own home directory in the /Users folder.

After you've created a new account, you can edit it by clicking among
the four buttons along the top of the window.

Specifying the Picture

Click Picture if you want to select a different picture to appear next to
your name in the login window (see the following figure). This picture is also
used as your Address Book picture and as the default picture in iChat (you can
change your picture in those applications without affecting the picture in
Accounts preferences). Personally, I find this to be mere window dressing, but
if you want to customize your picture, it's easy to do.

Apple provides an assortment of professionally produced images (the files are
stored in /Library/User Pictures). To use any of Apple's images, just click
the one you want from the list at right. But if you want to use your own image,
click Edit (see figure).

Choose from the Recent Pictures pop-up menu at the top of the Images window
if you want to revert to one of the 18 most recently used pictures.

If you have an iSight or similar videocamera attached to your Mac, click Take
Video Snapshot. The window shows a live image from the camera and snaps a
picture after several seconds of beeping. Repeat as necessary until you get a
photo that looks better than your driver's license.

If you'd like to use an image file, you can drag-and-drop it into the
window or click Choose and navigate to its location on disk. The picture can be
in GIF, JPEG, PDF, PNG, TIFF, or any other graphic format that QuickTime
understands. Apple recommends using only images that are 64x64 pixels in size,
but you can ignore that advice. Within the Images window, drag your picture so
that the portion you want to use is in the clear center crop box, and then drag
the slider so that the picture is sized to fit.

When you're finished, click Set to return to the Picture pane of
Accounts preferences.

Specifying Security Options

By default, each new user has a normal account, but you can change that
setting easily. In Accounts preferences, click Security. The checkbox setting at
the bottom of the pane determines whether this user has a normal or
administrator account (see figure).

Figure 34 The checkbox
on the Security pane toggles between a normal and an administrator account.

Select the "Allow user to administer this computer" checkbox if you
want to convert a normal user into an administrator. Once this checkbox is
selected, the Limitations button is dimmed because the user now has all the
privileges associated with being an administrator.

Specifying Limitations

When modifying a normal account, the Limitations pane allows the
administrator user to limit what the user can do on the computer (see
figure).

Figure 35 The
user's account is listed as Standard when No Limits is selected.

By default, new normal users have no limitations other than those imposed by
Mac OS X based upon the fact that the user is not an administrator. If you
specify limitations for a user in either the Some Limits or Simple Finder pane,
but want to temporarily suspend those limitations, click No Limits. Mac OS X
remembers the limitation settings of the other panes, but doesn't enforce
them.

TIP

An example of a time when you might want to temporarily suspend limitations
may be that the user normally isn't allowed to burn discs (to avoid having
users take home stuff they're not supposed to have outside the office), but
must take work home every now and then. You could lift the limit so she can burn
legit docs while you watch, and then restore the limit afterward.

Click Some Limits if you want precise control over how a user can interact
with the computer (see figure).

Figure 36 The
user's account is listed as Managed when Some Limits is selected.

The first four checkboxes in the Some Limits pane determine which actions the
user can perform:

If you don't want to be bothered to supply your administrator password
whenever this user wants to change a system preference, select the Open All
System Preferences checkbox to allow the user to make changes.

You can't select the "Change password" checkbox unless the
"Open all System Preferences" checkbox is first selected. Even if you
trust a user to change preferences, you may still opt to block the user's
ability to change the password, to avoid headaches if the user forgets the new
password or changes it to something insecure.

Select the "Modify the Dock" checkbox if you want the user to be
able to alter the Dock.

Select the "Burn CDs and DVDs" checkbox if the computer has an
optical drive and you want the user to be able to use it for writing, not just
reading. You might want to restrict this capability, for example, if you fear
that an employee might use it to steal company secrets or a child might burn
porn DVDs.

Select the checkbox "This user can only use these applications" if
you want to restrict access to certain applications and utilities. You then need
to click the disclosure triangles and select the checkboxes for the acceptable
applications. You could use this technique to punish a teenager, for example, by
rescinding the ability to listen to music in iTunes.

Click Simple Finder to impose the most draconian of limitations upon a user
(see figure).

Figure 37 The
user's account is listed as Simplified when Simple Finder is selected.

Simple Finder provides a simplified view of the desktop and is intended for
anyone who may be challenged by the complexity of the traditional Finder (see
the following figure). The unmodifiable Dock in Simple Finder contain only three
icons: My Applications, Documents, and Shared. Users can't create new
folders, but they can open any folders that appear in the Documents and Shared
folders.

If the user clicks the My Applications folder in the Dock, a window appears
showing aliases for only those applications that you have specifically allowed.
Instead of having to double-click an icon to launch a program, only a single
click is required. The numbered buttons along the bottom of the window allow you
to see additional items.

Simple Finder has very few menus and commands in the menu bar. If you choose
File > Run Full Finder, you must enter an administrator username and password
to temporarily restore the Finder menus and commands. Even so, some limitations
remain (such as the inability to access System Preferences).

Specifying Startup Items

If you're modifying your own account, by clicking Startup Items you can
specify which items to open automatically when you log in (see figure).

To add an item to the Startup Items pane, click the Add icon in the
lower-left corner of the window and choose the item you want (you can
Shift-click or Command-click to select multiple items at once). The Startup
Items feature is obviously a timesaver if you always use the same documents or
applications and want them to open immediately when you log into your account.
But what you may not realize is that Startup Items can also open folders and
servers. After mounting a server, just drag its icon into the Startup Items list
(this shortcut works for other items, too). If you saved your username and
password to the keychain in the Options window when connecting to the server, it
will mount in the future without bothering you for this information again.

The checkboxes in the Startup Items pane cause the item to open in the
background. This may be useful if you're opening a lot of items and
don't want the screen cluttered with so many windows.

Once items are in the list, you can drag them to specify the order in which
they open, or select an item and click the Minus icon to remove the item from
the list permanently.

Finally, you can temporarily prevent all of the startup items from opening.
After you enter your username and password in the login window, hold down the
Shift key until the Finder appears.

Setting Login Options

If you're an administrator user, you can configure login options for the
computer. In Accounts preferences, click the Login Options button (see
figure).

If you have only a few accounts on this computer, you may want to display the
list of all users in the login window. This option is somewhat insecure in that
it gives potential hackers half the information they need (a valid username) to
break into your computer. If security is a concern, or you have more accounts
than the list can hold in the login window, choose to display only the name and
password fields. This technique forces users to enter a valid username and
password to log in.

If there's only one account on your computer and your Mac is in a secure
location, you may soon tire of having to log in manually. If that's the
case, select the "Automatically log in as" checkbox in the Accounts
preferences window and choose a user from the corresponding pop-up menu. You
will then be prompted for the password (if any) for that account. The next time
the computer boots, Mac OS X automatically logs into that account.

You can also hide the Sleep, Restart, and Shut Down buttons that normally
appear at the bottom of the login window. This feature is an attempt to keep
other users from restarting in an insecure mode, but they can always circumvent
this design by using the restart or power buttons on the computer itself.

Finally, you can enable fast user switching in the Login Options pane. This
feature lets multiple users share a computer without quitting applications and
logging out. See the section "Switching Between Users" for
details.